TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
If your Firewall rules are set correctly, as in DO NOT REPLY TO UDP
Requests for certain services, one should be fine, the fact that you are
logging the event is good.
If you are allowing it past your External firewall, that is a different
problem altogether.
Refer to "Building Internet Firewalls" for an overview of various firewall
architectures, especially Chapter 8.
Setting up your firewall policy can vary based on the services that are
allowed from the internal user community out through the firewalls, versus
the External rules that allow for external customers to certain network
devices that are in your DMZ.
The big question: do you have an escalation plan documented on what to do
when certain events happen, like more than 5 port scans, do something.
In ISS RealSecure you can set the thresholds and if the thresholds are met
you can issue an RS_KILL command to kill the entity that is attempting to
port scan you more than 5 times. Now, if each UDP port scan event is from
a different address but within the same IP address range, it is a little
easier to implement the previously mentioned statement. If you are
observing more than 5 UDP Port scans from lots of different places,
generate an exception list, and build an ACL on your external router to
deny packets originating from the xxx.xxx.xxx.xxx IP address network range.
With this rule in place, the UDP port scans will no longer get past your
external router, since the packet will be dropped on the floor, therefore
allowing you to monitor valid "Intrusion" attempts that may be creeping
into your network, but could not be observed due to "annoying UDP Port
scan" attempts.
Please refer to the SANS Briefing regarding how to prevent DDoS attacks
and how to implement different ACLs on various brand-name routers.
/mark
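The thresholding and ACL-building step described in the reply above, as an added example that is not part of the original post or of ISS RealSecure: it counts UDP port-scan events per source /24, drops any network that appears on an exception list, and renders deny entries for the networks that exceed the "more than 5" threshold. The log line format, the sample events and the Cisco IOS-style extended ACL syntax are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Threshold UDP port-scan events per source network and emit router ACL deny lines.

Added example for the ISSForum thread; not code from the post or from RealSecure.
Log format, sample events and ACL syntax are assumptions made for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample firewall log, not real data. Assumed format:
# "<date> <time> <event> src=<ip> dst=<ip>"; only UDP_SCAN events are counted.
SAMPLE_LOG = """\
2000-04-04 09:01:12 UDP_SCAN src=192.0.2.17 dst=203.0.113.5
2000-04-04 09:01:40 UDP_SCAN src=192.0.2.17 dst=203.0.113.5
2000-04-04 09:02:03 UDP_SCAN src=192.0.2.40 dst=203.0.113.5
2000-04-04 09:03:55 TCP_SYN src=192.0.2.40 dst=203.0.113.5
2000-04-04 09:05:21 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
2000-04-04 09:06:00 UDP_SCAN src=192.0.2.201 dst=203.0.113.5
2000-04-04 09:07:14 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
2000-04-04 09:09:48 UDP_SCAN src=192.0.2.17 dst=203.0.113.5
2000-04-04 09:10:02 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
2000-04-04 09:11:30 UDP_SCAN src=203.0.113.77 dst=203.0.113.5
2000-04-04 09:12:11 UDP_SCAN src=192.0.2.40 dst=203.0.113.5
2000-04-04 09:13:45 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
2000-04-04 09:15:09 UDP_SCAN src=192.0.2.201 dst=203.0.113.5
2000-04-04 09:16:27 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
2000-04-04 09:18:50 UDP_SCAN src=203.0.113.77 dst=203.0.113.5
2000-04-04 09:20:33 UDP_SCAN src=198.51.100.9 dst=203.0.113.5
"""

LINE_RE = re.compile(r"\bUDP_SCAN src=(\d+\.\d+\.\d+\.\d+)")


def parse_sources(log_text):
    """Return the source address of every UDP_SCAN event, in log order."""
    return [ipaddress.ip_address(m.group(1)) for m in LINE_RE.finditer(log_text)]


def offending_networks(sources, threshold=5, prefix=24, exceptions=()):
    """Group scan sources into /prefix networks and return (network, events, distinct
    hosts) for every network with more than `threshold` events (the post's "> 5" rule),
    skipping any network that overlaps an entry on the exception list."""
    exc = [ipaddress.ip_network(e) for e in exceptions]
    events = Counter()
    hosts = defaultdict(set)
    for ip in sources:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        events[net] += 1
        hosts[net].add(ip)
    hits = []
    for net, count in events.items():
        if count > threshold and not any(net.overlaps(e) for e in exc):
            hits.append((net, count, len(hosts[net])))
    # Noisiest network first so the most useful deny goes at the top of the ACL.
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def ios_deny_lines(networks, acl_number=101):
    """Render Cisco IOS-style extended ACL entries (assumed syntax) that drop UDP from
    each offending network at the external router. A remark line records why."""
    lines = []
    for net, count, distinct in networks:
        lines.append(f"access-list {acl_number} remark {count} UDP scan events "
                     f"from {distinct} host(s) in {net}")
        lines.append(f"access-list {acl_number} deny udp "
                     f"{net.network_address} {net.hostmask} any")
    return lines


if __name__ == "__main__":
    # 198.51.100.0/24 is excepted here as a hypothetical partner range that may not be blocked.
    srcs = parse_sources(SAMPLE_LOG)
    nets = offending_networks(srcs, threshold=5, exceptions=["198.51.100.0/24"])
    for line in ios_deny_lines(nets):
        print(line)
```

Run against the constructed log, 192.0.2.0/24 is the only network denied: it has 7 events from 3 hosts, while 198.51.100.0/24 also crosses the threshold but is on the exception list, and 203.0.113.0/24 never reaches it. Keep the exception list under change control; a blanket /24 deny is the blunt instrument the post describes, and it will also drop legitimate UDP (DNS replies, NTP) from anyone else in that range.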
"Fontelera, Jaime C." <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/04/00 09:56 AM
To: "ISSForum (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: UDP Port Scan
I get UDP port scans on my firewall, at least 5 a day. How does one respond
to a probe?
Any suggestions?
Thanks,
Jaime